merged with riseup

git-svn-id: https://svn/ipuppet/trunk/modules/sshd@2263 d66ca3ae-40d7-4aa7-90d4-87d79ca94279
author: mh <mh@d66ca3ae-40d7-4aa7-90d4-87d79ca94279> 2008-09-29 22:37:26 +0000
committer: mh <mh@d66ca3ae-40d7-4aa7-90d4-87d79ca94279> 2008-09-29 22:37:26 +0000
commit: 9ce186f5c31c4339d9a92aa73f6c895cc676a633 (patch)
tree: 6e98479704927635113057ad5699de5ac522e392 /manifests
parent: e3ce449ff48f8245f7358cd98b59a86d8ddbf9bf (diff)
1 files changed, 123 insertions, 7 deletions
diff --git a/manifests/init.pp b/manifests/init.pp
index 95682fd..2a4c449 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -1,6 +1,7 @@
 #
 # ssh module
 #
+# Copyright 2008, micah@riseup.net
 # Copyright 2008, admin(at)immerda.ch
 # Copyright 2008, Puzzle ITC GmbH
 # Marcel Härry haerry+puppet(at)puzzle.ch
@@ -16,10 +17,23 @@
 # 
 # sshd-config:
 #
-# The configuration of the sshd is rather strict and
-# might not fit all needs. However there are a bunch 
-# of variables, which you might consider to configure. 
-# Checkout the following:
+# The configuration of the sshd is rather strict and might not fit all
+# needs. However there are a bunch of variables, which you might
+# consider configuring.
+#
+# To set any of the following, simply set them as variables in your manifests
+# before the class is included, for example:
+#
+# $sshd_listen_address = ['10.0.0.1 192.168.0.1']
+# $sshd_use_pam = yes
+# include sshd::debian
+#
+# The following is a list of the currently available variables:
+#
+# sshd_listen_address:          specify the addresses sshd should listen on
+#                               set this to ['10.0.0.1 192.168.0.1'] to have it listen on both
+#                               addresses, or leave it unset to listen on all
+#                               Default: empty -> results in listening on 0.0.0.0
 #
 # sshd_allowed_users:           list of usernames separated by spaces. 
 #                               set this for example to "foobar root"
@@ -38,11 +52,54 @@
 # sshd_password_authentication: If you want to enable password authentication or not
 #                               Valid values: yes or no
 #                               Default: no
+#				
+# sshd_challenge_response_authentication: If you want to enable ChallengeResponseAuthentication or not
+# 				When disabled, s/key passowords are disabled
+# 				Valid values: yes or no
+#				Default: no
 # 
+# sshd_tcp_forwarding:		If you want to enable TcpForwarding
+# 				Valid Values: yes or no
+#				Default: no
+#
 # sshd_x11_forwarding:          If you want to enable x11 forwarding 
 #                               Valid Values: yes or no
 #                               Default: no
 #
+# sshd_agent_forwarding:	If you want to allow ssh-agent forwarding
+# 				Valid Values: yes or no
+#				Default: no
+#
+# sshd_pubkey_authentication:	If you want to enable public key authentication
+# 				Valid Values: yes or no
+#				Default: yes
+#
+# sshd_rsa_authentication:	If you want to enable RSA Authentication
+# 				Valid Values: yes or no
+#				Default: no
+#				
+# sshd_rhosts_rsa_authentication:	If you want to enable rhosts RSA Authentication
+# 				Valid Values: yes or no
+#				Default: no
+#
+# sshd_hostbased_authentication: If you want to enable HostbasedAuthentication
+# 				 Valid Values: yes or no
+#				 Default: no
+#				
+# sshd_strict_modes:		If you want to set StrictModes (check file modes/ownership before accepting login)
+# 				Valid Values: yes or no
+#				Default: yes
+#
+# sshd_permit_empty_passwords:	If you want enable PermitEmptyPasswords to allow empty passwords
+# 				Valid Values: yes or no
+#				Default: no
+#
+# sshd_port:                    If you want to specify a different port than the default 22
+#                               Default: 22
+#
+# sshd_authorized_keys_file:    Set this to the location of the AuthorizedKeysFile (e.g. /etc/ssh/authorized_keys/%u)
+#                               Default: AuthorizedKeysFile	%h/.ssh/authorized_keys
+#
 
 class sshd {
     include sshd::client 
@@ -60,7 +117,11 @@ class sshd {
 
 
 class sshd::base {
-    # prepare variables to use in templates 
+    # prepare variables to use in templates
+    $real_sshd_listen_address = $sshd_listen_address ? {
+      '' => [ '0.0.0.0', '::' ],
+      default => $sshd_listen_address
+    }
     $real_sshd_allowed_users = $sshd_allowed_users ? {
         ''  => '',
         default => $sshd_allowed_users
@@ -77,17 +138,68 @@ class sshd::base {
         '' => 'no',
         default => $sshd_password_authentication
     }
+    $real_sshd_tcp_forwarding = $sshd_tcp_forwarding ? {
+    	'' => 'no',
+	default => $sshd_tcp_forwarding
+    }
     $real_sshd_x11_forwarding = $sshd_x11_forwarding ? {
         '' => 'no',
         default => $sshd_x11_forwarding
     }
-
+    $real_sshd_agent_forwarding = $sshd_agent_forwarding ? {
+    	'' => 'no',
+	default => $sshd_agent_forwarding
+    }
+    $real_sshd_challenge_response_authentication = $sshd_challenge_response_authentication ? {
+        '' => 'no',
+	default => $sshd_challenge_response_authentication
+    }
+    $real_sshd_pubkey_authentication = $sshd_pubkey_authentication ? {
+    	'' => 'yes',
+	default => $sshd_pubkey_authentication
+    }
+    $real_sshd_rsa_authentication = $sshd_rsa_authentication ? {
+    	'' => 'no',
+	default => $sshd_rsa_authentication
+    }
+    $real_sshd_strict_modes = $sshd_strict_modes ? {
+    	'' => 'yes',
+	default => $sshd_strict_modes
+    }
+    $real_sshd_ignore_rhosts = $sshd_ignore_rhosts ? {
+        '' => 'yes',
+	default => $sshd_ignore_rhosts
+    }
+    $real_sshd_rhosts_rsa_authentication = $sshd_rhosts_rsa_authentication ? {
+    	'' => 'no',
+	default => $sshd_rhosts_rsa_authentication
+    }
+    $real_sshd_hostbased_authentication = $sshd_hostbased_authentication ? {
+    	'' => 'no',
+	default => $sshd_hostbased_authentication
+    }
+    $real_sshd_permit_empty_passwords = $sshd_permit_empty_passwords ? {
+    	'' => 'no',
+	default => $sshd_permit_empty_passwords
+    }
+    $real_sshd_port = $sshd_port ? {
+      '' => 22,
+      default => $sshd_port
+    }
+    $real_sshd_authorized_keys_file = $sshd_authorized_keys_file ? {
+      '' => "%h/.ssh/authorized_keys",
+      default => $sshd_authorized_keys_file
+    }
+      
     file { 'sshd_config':
         path => '/etc/ssh/sshd_config',
         owner => root,
         group => 0,
         mode => 600,
-        content => template("sshd/sshd_config/${operatingsystem}_normal.erb"),
+        content => $lsbdistcodename ? {
+          '' => template("sshd/sshd_config/${operatingsystem}.erb"),
+          default => template ("sshd/sshd_config/${operatingsystem}_${lsbdistcodename}.erb"),
+        },
         notify => Service[sshd],
     }
     # Now add the key, if we've got one
@@ -127,6 +239,10 @@ class sshd::gentoo inherits sshd::linux {
 }
 
 class sshd::debian inherits sshd::linux {
+
+  # the templates for Debian need lsbdistcodename
+  include assert_lsbdistcodename
+  
     Package[openssh]{
         name => 'openssh-server',
     }
author	mh <mh@d66ca3ae-40d7-4aa7-90d4-87d79ca94279>	2008-09-29 22:37:26 +0000
committer	mh <mh@d66ca3ae-40d7-4aa7-90d4-87d79ca94279>	2008-09-29 22:37:26 +0000
commit	9ce186f5c31c4339d9a92aa73f6c895cc676a633 (patch)
tree	6e98479704927635113057ad5699de5ac522e392 /manifests
parent	e3ce449ff48f8245f7358cd98b59a86d8ddbf9bf (diff)